Wednesday, June 20, 2012

Since 2006, when Adam Boileau released his research on exploiting machines using Firewire, we have had fun unlocking locked computers and imaging RAM from the same. With the release of Thunderbolt (TB) I wondered if the same issues surrounding Direct Memory Access (DMA) exist with that implementation. Turns out they do. The interesting thing about this is that allowing DMA provides much of the cool functionality that TB offers; however, it also provides an attack vector for physical access in the same way as Firewire. As this is due to an implementation in the hardware layer, the OS remains blissfully unaware of what's going on.

When I read a blog on the subject this week, there were many comments about it being a lame duck attack as physical access is needed; however, many in our community know that gaining access to a machine is often possible.

If a computer is dead then file-level access is simple. A Windows machine or Mac that is booted but password locked has always been a problem; however, with TB now appearing on all Macs, this could be rather a useful technique. It is notable that Lion appears to turn off DMA in certain circumstances, but more work needs to be done to understand this fully.

Enter 'Inception', a very nice proof of concept tool from the Break n Enter blog. Some work has been done in this area and it seems to work pretty well in certain situations. I won't bother re-blogging everything, but I strongly recommend reading the page I linked to above and also watching the video, which shows the extraction of RAM and the pwning of the FileVault password (loving the music too). Big shout out to them for the tool and the work.

I'll try and spend some time on this in the next few weeks and let you know how I get on.

About Me

I've been working with computers since my ZX81, closely followed by an Oric 1 (if anyone remembers those?). In the past 11 years I've been working in the area of computer forensic investigation and research in both the law enforcement and corporate worlds.
I have trained 100s of investigators in the past few years in the area of Live Forensics and RAM Analysis.
Lately I have been working with law enforcement agencies across Europe and the USA in both an operational and training capacity.

Computer forensics is an evolving science with constantly developing tools and techniques. CSITech, led by Nick Furneaux, is striving to be at the forefront of these developments, working on tools and techniques for the collection and analysis of volatile data for both the law enforcement and corporate worlds.